Intro
TMKMS (Tendermint Key Management System) provides isolated signing key management for Tendermint applications including validators, oracles, IBC relayers, and other transaction-signing applications.
In practice this means your validator's consensus key can live on a host separate from the validator node, and the node keeps signing blocks through it.
For this experiment you will need 2 hosts: one running the neutron chain (validator node) and another that signs blocks (tmkms node). You can keep the server you are using now as the validator node and get a new one for tmkms. The tmkms host does not consume many resources, so anything from 1 CPU / 1 GB RAM will do.
Install tmkms
After connecting to the tmkms node (not the validator node), let's install all the required dependencies. The rustup installer is run non-interactively with -y so the && chain does not stall on a prompt; libusb is only needed by the USB-attached yubihsm/ledger backends but is harmless to have in place. Note that the RUSTFLAGS export only lasts for this shell session, so build tmkms in the same session.
sudo apt update && \
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && \
source $HOME/.cargo/env && \
sudo apt install git build-essential ufw curl jq snapd --yes && \
sudo apt install libusb-1.0-0-dev --yes && \
export RUSTFLAGS=-Ctarget-feature=+aes,+ssse3
Let's download and compile the tmkms source code. cargo install --path . builds the checkout you just cloned (prefer a tagged release over the tip of the default branch); plain cargo install tmkms --features=softsign would instead fetch the published crate from crates.io, in which case the clone is not needed.
cd $HOME && \
git clone https://github.com/iqlusioninc/tmkms.git && \
cd $HOME/tmkms && \
cargo install --path . --features=softsign && \
tmkms init config && \
tmkms softsign keygen ./config/secrets/secret_connection_key
Note that we are using --features=softsign: the consensus key is stored as a plain file on the tmkms host's disk, so what you gain is isolation from the validator node (which no longer holds the key and no longer needs the key file on disk), not hardware protection. For better security the ledger / yubihsm backends should be considered.
Now copy your priv_validator_key.json from the validator node to ~/tmkms/config/secrets on the tmkms node (use scp or another authenticated channel, never a shared clipboard or chat) and import it like this:
tmkms softsign import $HOME/tmkms/config/secrets/priv_validator_key.json $HOME/tmkms/config/secrets/priv_validator_key
Next, update the config file $HOME/tmkms/config/tmkms.toml to look like this:
[[chain]]
id = "quark-1"   # must match the chain-id your node runs
key_format = { type = "cosmos-json", account_key_prefix = "neutronpub", consensus_key_prefix = "neutronvalconspub" }
state_file = "/root/tmkms/config/state/priv_validator_state.json"

[[providers.softsign]]
chain_ids = ["quark-1"]
key_type = "consensus"
path = "/root/tmkms/config/secrets/priv_validator_key"

[[validator]]
chain_id = "quark-1"
addr = "tcp://65.21.107.203:688" # validator tcp://ip:port
secret_key = "/root/tmkms/config/secrets/secret_connection_key"
protocol_version = "v0.34"
reconnect = true
Make sure to use your validator's IP for the addr option and the same chain-id in all three sections. tmkms initiates the connection to the validator, so that port must be reachable from the tmkms host, and it should be firewalled so that only the tmkms host can reach it. The paths above are absolute and assume tmkms was set up under /root/tmkms; adjust them if you use a different user or directory. The state_file is where tmkms records the last height/round/step it signed to refuse double-signing, so never let tmkms and a node with a local key sign for the same validator at the same time.
Update validator node config
On your validator node, set priv_validator_laddr in $HOME/.neutrond/config/config.toml to listen on the port you put in the [[validator]] addr of tmkms.toml, e.g. priv_validator_laddr = "tcp://0.0.0.0:688" (or bind to the validator IP that tmkms dials).
Comment out priv_validator_key_file and priv_validator_state_file in the same file so the node only uses the remote signer.
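The validator-side change above as a script, added here as an example (it is not from the original post and not part of neutrond or tmkms). It assumes the stock Tendermint key names in config.toml, the port 688 used in the post's tmkms.toml, and ufw with its default deny-incoming policy; the function names and the sample config.toml excerpt are ours and constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): switch a Neutron/Tendermint
# validator's config.toml to the remote signer and restrict the signer port.
# Assumptions: stock config.toml key names (priv_validator_laddr,
# priv_validator_key_file, priv_validator_state_file) and the port used in
# the post's tmkms.toml (688). The function names here are ours.
set -eu

# configure_remote_signer CONFIG_FILE PORT [BIND_HOST]
# Points priv_validator_laddr at tcp://BIND_HOST:PORT and comments out the
# local key/state paths so the node only talks to the remote signer.
configure_remote_signer() {
    cfg="$1"; port="$2"; host="${3:-0.0.0.0}"
    cp "$cfg" "$cfg.bak"          # keep the original for rollback
    tmp="$cfg.tmp.$$"
    sed -e "s|^priv_validator_laddr = .*|priv_validator_laddr = \"tcp://$host:$port\"|" \
        -e 's|^priv_validator_key_file = |# priv_validator_key_file = |' \
        -e 's|^priv_validator_state_file = |# priv_validator_state_file = |' \
        "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# verify_remote_signer CONFIG_FILE PORT
# Returns 0 only if the laddr is set to PORT and no local key path is active.
verify_remote_signer() {
    cfg="$1"; port="$2"
    grep -q "^priv_validator_laddr = \"tcp://[^\"]*:$port\"\$" "$cfg" || return 1
    if grep -q '^priv_validator_key_file = ' "$cfg"; then return 1; fi
    if grep -q '^priv_validator_state_file = ' "$cfg"; then return 1; fi
    return 0
}

# restrict_signer_port TMKMS_IP PORT
# tmkms dials the validator, so only the tmkms host needs to reach PORT.
# Assumes ufw (installed by the post's apt line) with the default
# deny-incoming policy; adjust for a different firewall.
restrict_signer_port() {
    sudo ufw allow from "$1" to any port "$2" proto tcp
}

# make_sample_config FILE: constructed excerpt of config.toml for the demo.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed excerpt, not a real node's config.toml
moniker = "example-validator"
priv_validator_key_file = "config/priv_validator_key.json"
priv_validator_state_file = "data/priv_validator_state.json"
priv_validator_laddr = ""
EOF
}

# Stand-alone demo on a throwaway file. Real use on the validator:
#   configure_remote_signer "$HOME/.neutrond/config/config.toml" 688
#   restrict_signer_port <tmkms host IP> 688
work=$(mktemp -d)
make_sample_config "$work/config.toml"
configure_remote_signer "$work/config.toml" 688
verify_remote_signer "$work/config.toml" 688 && \
    echo "remote signer config ok:" && grep -E '^#? *priv_validator' "$work/config.toml"
rm -rf "$work"
```

Run verify_remote_signer after the edit (and after any later config regeneration) so a stray priv_validator_key_file line cannot silently reintroduce a local signer; the .bak copy lets you roll back if the node refuses to start.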
Start signing with TMKMS
Stop your validator node. You can also rename or move priv_validator_key.json to another place.
Start the tmkms process by running (it is much more reliable to run it as a service):
tmkms start -c $HOME/tmkms/config/tmkms.toml
You should see tmkms start and wait for the validator in its logs. [tmkms log screenshot]
After your neutron node is started, the tmkms logs should show it connected to the validator and signing. [tmkms log screenshot]
Remove priv_validator_key.json from both the validator and tmkms nodes and store it safely offline; the imported priv_validator_key under config/secrets is the only copy tmkms needs. And that's it, you are now signing blocks from another node.
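For the "run it as a service" advice above, here is a hardened systemd unit generator plus a permissions check for the secrets directory, added as an example (not from the original post or the tmkms project). It assumes tmkms runs as a dedicated unprivileged user with the config directory outside any home directory (e.g. /var/lib/tmkms; the post uses /root/tmkms as root, which ProtectHome=true would hide), that the binary was copied from ~/.cargo/bin to a path you pass in, that the state directory is CFGDIR/state as in the post's tmkms.toml, and GNU find for -perm /mode. Function names and the demo files are ours and constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the tmkms project): generate a
# hardened systemd unit for tmkms and check that its secrets are not readable
# by other users. Assumptions: a dedicated unprivileged user, config directory
# outside /home and /root, CFGDIR/state as the state directory, GNU find.
set -eu

# write_tmkms_unit BIN CFGDIR USER   -> unit file text on stdout
write_tmkms_unit() {
    bin="$1"; cfgdir="$2"; user="$3"
    cat <<EOF
[Unit]
Description=Tendermint KMS (tmkms) remote signer
After=network-online.target
Wants=network-online.target

[Service]
User=$user
Group=$user
WorkingDirectory=$cfgdir
ExecStart=$bin start -c $cfgdir/tmkms.toml
Restart=always
RestartSec=3
UMask=0077
# never write the signing key into a core dump
LimitCORE=0
# read-only filesystem except the state directory tmkms updates on every sign
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=$cfgdir/state
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# PrivateDevices blocks USB; remove it if you move to a yubihsm or ledger
PrivateDevices=true

[Install]
WantedBy=multi-user.target
EOF
}

# check_secret_perms CFGDIR USER
# Returns 0 if every file in CFGDIR/secrets is owned by USER and has no
# group/other permission bits; returns 1 and lists offenders otherwise.
check_secret_perms() {
    dir="$1/secrets"; user="$2"
    [ -d "$dir" ] || { echo "missing $dir" >&2; return 1; }
    bad=$(find "$dir" -type f \( -perm /077 -o ! -user "$user" \))
    if [ -n "$bad" ]; then
        echo "secrets with loose permissions or wrong owner:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed directory. Real use:
#   write_tmkms_unit /usr/local/bin/tmkms /var/lib/tmkms tmkms > /etc/systemd/system/tmkms.service
#   check_secret_perms /var/lib/tmkms tmkms && systemctl daemon-reload && systemctl enable --now tmkms
demo=$(mktemp -d)
mkdir -p "$demo/secrets" "$demo/state"
printf 'placeholder\n' > "$demo/secrets/priv_validator_key"   # constructed, not a real key
chmod 600 "$demo/secrets/priv_validator_key"
check_secret_perms "$demo" "$(id -un)" && echo "secrets permissions ok"
write_tmkms_unit /usr/local/bin/tmkms /var/lib/tmkms tmkms
rm -rf "$demo"
```

Run check_secret_perms before enabling the unit: a secret_connection_key or priv_validator_key readable by other accounts on the signer host defeats the point of moving the key off the validator, and the unit's read-only filesystem view makes an accidental chmod by the service itself impossible.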
Observations
I've been testing it for several days and noticed a minor uptime drop, around 0.02%. For the tmkms node I was using a 3 vCPU / 4 GB RAM host located in Germany, while my neutron node was located in Helsinki. I suspect that having both nodes in one DC would decrease the uptime drop.
Resource utilization for the tmkms node can be found below. [resource utilization graphs]
The only minor difference is a traffic increase around 16:00, which was expected.